CIPP-E Online Practice Questions and Answers

What is the main task of the European Data Protection Board?

A. To assess adequacy of data protection in third countries

B. To ensure consistent application of the GDPR.

C. To proactively prevent disputes between national supervisory authorities.

D. To publish guidelines tor data subjects on how to property enforce their rights

For which of the following operations would an employer most likely be justified in requesting the data subject's consent?

A. Posting an employee's bicycle race photo on the company's social media.

B. Processing an employee's health certificate in order to provide sick leave.

C. Operating a CCTV system on company premises.

D. Assessing a potential employee's job application.

A worker in a European Union (EU) member state has ceased his employment with a company. What should the employer most likely do in regard to the worker's personal data?

A. Destroy sensitive information and store the rest per applicable data protection rules.

B. Store all of the data in case the departing worker makes a subject access request.

C. Securely store the data that is required to be kept under local law.

D. Provide the employee the reasons for retaining the data.

SCENARIO

Please use the following to answer the next question:

Jack worked as a Pharmacovigiliance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related (asks This was also specified in the privacy policy, which Jack signed upon conclusion of the training.

After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient's name and hearth information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors. Jack was immediately dismissed

Jack's lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of "all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents In relation to the emails Jack listed six members of the management team whose inboxes he required access.

The company conducted an initial search of its IT systems, which returned a large amount of information They then contacted Jack, requesting that he be more specific regarding what information he required, so that they could carry out a targeted search Jack responded by stating that he would not narrow the scope of the information requester.

Under Article 82 of the GDPR ("Right to compensation and liability-), which party is liable for the damage caused by the data breach?

A. Both parties are exempt, as the company is involved in human health research

B. Jack and the pharmaceutical company are jointly liable.

C. The pharmaceutical company is liable.

D. Jack is liable

Company X has entrusted the processing of their payroll data to Provider Y. Provider Y stores this encrypted data on its server. The IT department of Provider Y finds out that someone managed to hack into the system and take a copy of the data from its server. In this scenario, whom does Provider Y have the obligation to notify?

A. The public

B. Company X

C. Law enforcement

D. The supervisory authority

SCENARIO Please use the following to answer the next question:

Gentle Hedgehog Inc. is a privately owned website design agency incorporated in Italy. The company has numerous remote workers in different EU countries. Recently, the management of Gentle Hedgehog noticed a decrease in productivity

of their sales team, especially among remote workers. As a result, the company plans to implement a robust but privacy-friendly remote surveillance system to prevent absenteeism, reward top performers, and ensure the best quality of

customer service when sales people are interacting with customers.

Gentle Hedgehog eventually hires Sauron Eye Inc., a Chinese vendor of employee surveillance software whose European headquarters is in Germany. Sauron Eye s software provides powerful remote-monitoring capabilities, including 24/7

access to computer cameras and microphones, screen captures, emails, website history, and keystrokes. Any device can be remotely monitored from a central server that is securely installed at Gentle Hedgehog headquarters. The

monitoring is invisible by default; however, a so-called Transparent Mode, which regularly and conspicuously notifies all users about the monitoring and its precise scope, also exists. Additionally, the monitored employees are required to use

a built-in verification technology involving facial recognition each time they log in.

All monitoring data, including the facial recognition data, is securely stored in Microsoft Azure cloud servers operated by Sauron Eye, which are physically located in France.

What is the main problem with the 24/7 camera monitoring?

A. It must not be operated during non-business hours and employee holidays.

B. It may accidentally film third parties whose consent is required for monitoring.

C. It has no valid legal basis to be implemented in the context of Gentle Hedgehog's business.

D. It must first be approved by the trade union and then granted a license from the national DPA.

A company plans to transfer employee health information between two of its entities in France. To maintain the security of the processing, what would be the most important security measure to apply to the health data transmission?

A. Inform the data subject of the security measures in place.

B. Ensure that the receiving entity has signed a data processing agreement.

C. Encrypt the transferred data in transit and at rest.

D. Conduct a data protection impact assessment.

What permissions are required for a marketer to send an email marketing message to a consumer in the EU?

A. A prior opt-in consent for consumers unless they are already customers.

B. A pre-checked box stating that the consumer agrees to receive email marketing.

C. A notice that the consumer's email address will be used for marketing purposes.

D. No prior permission required, but an opt-out requirement on all emails sent to consumers.

A dynamic Internet Protocol (IP) address is considered persona! data when it is combined with what?

A. Other data held by the processor.

B. Other data held by the controller

C. Other data held by recipients of the data.

D. Other data held by Internet Service Providers (ISPs).

SCENARIO

Please use the following to answer the next question:

BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information ?name, location, and prior purchase history ?with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens.

Prior to sharing its customer list, BHealthy conducted a review of Natural Insight's security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy's data processing contractual terms with Natural Insight require continued implementation of technical and organization measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight's machine learning algorithms.

In which case would Natural Insight's use of BHealthy's data for improvement of its algorithms be considered data processor activity?

A. If Natural Insight uses BHealthy's data for improving price point predictions only for BHealthy.

B. If Natural Insight receives express contractual instructions from BHealthy to use its data for improving its algorithms.

C. If Natural Insight agrees to be fully liable for its use of BHealthy's customer information in its product improvement activities.

D. If Natural Insight satisfies the transparency requirement by notifying BHealthy's customers of its plans to use their information for its product improvement activities.